Security Enhanced Linux

Security-Enhanced Linux (SELinux) is a Linux kernel security module that gives users and administrators more control over which users and programs can access which resources, such as files.

SELinux controls are determined by a policy loaded on the system and cannot be changed by careless users or misbehaving applications. SELinux also adds finer granularity to access controls. Instead of only being able to specify who can read, write or execute a file, for example, SELinux lets you specify who can unlink, append to or move a file, and so on.

SELinux provides a flexible Mandatory Access Control (MAC) system built into the Linux kernel. Under standard Linux Discretionary Access Control (DAC), an application or process running as a user has that user's permissions to objects such as files, sockets and other processes. Running a MAC kernel protects the system from malicious or flawed applications that could otherwise damage or destroy it.

SELinux Decision Making Process.

When a subject (for example, an application) attempts to access an object (for example, a file), the policy enforcement server in the kernel checks an access vector cache (AVC), where subject and object permissions are cached.

If a decision cannot be made based on data in the AVC, the request continues to the security server, which looks up the security context of the application and the file in a matrix.

Permission is then granted or denied; if permission is denied, an avc: denied message describing the denial is written to /var/log/messages.

The security context of subjects and objects is applied from the installed policy, which also provides the information to populate the security server’s matrix.
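The avc: denied messages mentioned above are what a defender reads first when a confined process is being blocked. The following is an added example (not part of the original article) that summarises such denials by source domain, target type, object class and permission; the log lines are constructed samples in the kernel audit format, and the function name is this example's own.

```shell
#!/bin/sh
# Summarise SELinux "avc: denied" messages by source domain, target type,
# object class and permission, so repeated denials stand out.
# The log lines below are constructed samples, not taken from a real host.
SAMPLE_AVC_LOG=$(cat <<'EOF'
Mar  3 23:24:01 host kernel: type=1400 audit(1393889041.123:45): avc:  denied  { read } for  pid=2600 comm="httpd" name="file1.txt" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
Mar  3 23:24:02 host kernel: type=1400 audit(1393889042.456:46): avc:  denied  { read } for  pid=2601 comm="httpd" name="file2.txt" dev=dm-0 ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
Mar  3 23:24:03 host kernel: type=1400 audit(1393889043.789:47): avc:  denied  { write } for  pid=2602 comm="sshd" name="authorized_keys" dev=dm-0 ino=1236 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Mar  3 23:24:04 host kernel: type=1400 audit(1393889044.000:48): avc:  granted  { read } for  pid=2603 comm="cat" name="passwd" dev=dm-0 ino=1237 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
)

# summarize_avc_denials: reads log text on stdin and prints one line per
# (source type, target type, class, permission) followed by its count.
# "granted" audit lines are ignored; several permissions in one pair of
# braces are counted separately.
summarize_avc_denials() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        n = split(perms, p, " ")
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # the type is the third colon-separated field of a context
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        for (i = 1; i <= n; i++) count[src " " tgt " " cls " " p[i]]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# On a real host: summarize_avc_denials < /var/log/messages
printf '%s\n' "$SAMPLE_AVC_LOG" | summarize_avc_denials
```

Each output line reads "source_type target_type class permission count", so the two httpd_t denials on admin_home_t above collapse into a single line with count 2.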

Important Configuration File.

The main configuration file for SELinux is /etc/selinux/config. Run the following command to view its contents:

cat /etc/selinux/config

The output will look something like this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

SELinux Modes

SELinux can be in any of three possible modes:

  • Enforcing
  • Permissive
  • Disabled

In enforcing mode SELinux will enforce its policy on the Linux system and make sure any unauthorized access attempts by users and processes are denied. The access denials are also written to relevant log files.

Permissive mode is similar to a debugging mode. In this mode, SELinux policies and rules are still applied to subjects and objects, but violations are only logged, not blocked. The biggest advantage of permissive mode is that log files and error messages are generated according to the SELinux policy in place, which shows what enforcing mode would deny.

The disabled mode is self-explanatory – the system won’t be running with enhanced security.

SELinux Policy

The SELinux policy is the set of rules that defines the security and access rights for everything in the system. It uses roles to limit the domains that can be entered, and user identities to specify the roles that can be attained.

SELinux Context

Processes and files are labeled with an SELinux context that contains additional information: an SELinux user, a role, a type and, optionally, a level.

Booleans

Booleans are variables that can be set to either true or false. Booleans enhance the effect of SELinux policies by letting the system administrator fine-tune a policy. A policy may protect a certain daemon or service by applying various access control rules.

To check the SELinux mode:

# getenforce
Enforcing
#

# sestatus
SELinux status:             enabled
SELinuxfs mount:            /selinux
Current mode:               enforcing
Mode from config file:      enforcing
Policy version:             24
Policy from config file:    targeted
#

Display SELinux context of a file or directory.

# ls -lZ file1.txt
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 file1.txt
#

# ls -ldZ root
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 root
#

Display SELinux context of a Process

# ps -efZ |grep http
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2600 2564 0 23:24 pts/0 00:00:00 grep http
#

Changing SELinux Context of a file or directory.

Check existing context of the file

# ls -lZ file1.txt
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 file1.txt
#

Observe that the type is admin_home_t, let’s change it to public_content_t, so that it will be available for all users.

To change the context of a file:

# chcon -t public_content_t file1.txt
# ls -lZ file1.txt
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1.txt
#

To change the context of a directory:

# chcon -R -t public_content_t root

# ls -ldZ root
dr-xr-x---. root root system_u:object_r:public_content_t:s0 root
#

Restoring a modified SELinux context to its default.

# restorecon file1.txt

# ls -lZ file1.txt
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 file1.txt
#

# restorecon -R root
# ls -ldZ root
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 root
#

Changing the modes of SELinux

To change the mode of SELinux the syntax is

# setenforce option

Options:

0 – Permissive
1 – Enforcing

To change SELinux mode to Permissive

# setenforce 0

# getenforce
Permissive
# sestatus
SELinux status:              enabled
SELinuxfs mount:             /selinux
Current mode:                permissive
Mode from config file:       enforcing
Policy version:              24
Policy from config file:     targeted
#

To change SELinux mode to Enforcing mode

# setenforce 1
# getenforce
Enforcing
# sestatus
SELinux status:             enabled
SELinuxfs mount:            /selinux
Current mode:               enforcing
Mode from config file:      enforcing
Policy version:             24
Policy from config file:    targeted
#
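Note in the sestatus output above that setenforce changes only the running mode: after setenforce 0 the host is permissive while the configuration file still says enforcing. The following is an added example (not part of the original article) that detects that drift by comparing the SELINUX= value from a config file with the "Current mode" line of sestatus; both inputs are constructed samples and the function names are this example's own.

```shell
#!/bin/sh
# Detect runtime/config drift: "setenforce 0" changes the running mode but
# not /etc/selinux/config, so a host can be permissive while its config
# still says enforcing. Both inputs below are constructed samples.
SAMPLE_SESTATUS='SELinux status:              enabled
SELinuxfs mount:             /selinux
Current mode:                permissive
Mode from config file:       enforcing
Policy version:              24
Policy from config file:     targeted'

SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted'

# configured_mode: value of the SELINUX= key from config text on stdin,
# ignoring comment lines (a plain "grep SELINUX=" would also match the
# commented help text) and SELINUXTYPE=; the last setting wins.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*//p' | tail -n 1
}

# sestatus_field LABEL: value of one "Label:   value" line from sestatus
# output on stdin.
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# check_mode_drift CONFIG_TEXT SESTATUS_TEXT: prints "ok <mode>" and
# returns 0 when the running mode matches the configured one, otherwise
# prints "drift running=<x> configured=<y>" and returns 1.
check_mode_drift() {
    cfg=$(printf '%s\n' "$1" | configured_mode)
    run=$(printf '%s\n' "$2" | sestatus_field "Current mode")
    if [ -n "$cfg" ] && [ "$cfg" = "$run" ]; then
        echo "ok $run"
        return 0
    fi
    echo "drift running=$run configured=$cfg"
    return 1
}

# On a real host: check_mode_drift "$(cat /etc/selinux/config)" "$(sestatus)"
check_mode_drift "$SAMPLE_CONFIG" "$SAMPLE_SESTATUS" \
    || echo "action: find out who ran setenforce 0 and why"
```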

Checking and modifying Booleans.

To see the Booleans of a particular service:

# getsebool -a |grep servicename

# getsebool -a |grep ssh
allow_ssh_keysign --> off
fenced_can_ssh --> off
ssh_chroot_full_access --> off
ssh_chroot_manage_apache_content --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off
#

If grep is not used, getsebool -a lists all Booleans for every service on the system.
Booleans can only be checked when SELinux is in enforcing or permissive mode. If SELinux is disabled, Booleans can't be changed.

To change a Boolean, give its name followed by the desired value (on or off):

# setsebool ssh_sysadm_login on

# getsebool -a |grep ssh_sysadm_login
ssh_sysadm_login --> on
#

To change it back,

# setsebool ssh_sysadm_login off
# getsebool -a |grep ssh_sysadm_login
ssh_sysadm_login --> off
#
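Because a Boolean such as ssh_sysadm_login can be switched on and forgotten, it is worth checking the live getsebool output against an expected baseline. The following is an added example (not part of the original article) that does this with the "name --> on|off" format shown above; the sample output, the baseline values and the function name are all constructed assumptions for this example.

```shell
#!/bin/sh
# Audit SELinux Booleans against an expected baseline, using the
# "name --> on|off" lines that getsebool -a prints.
# Both lists below are constructed samples, not output from a real host.
SAMPLE_GETSEBOOL='allow_ssh_keysign --> off
fenced_can_ssh --> off
ssh_chroot_full_access --> off
ssh_chroot_manage_apache_content --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> on'

# Baseline: one "name expected-value" pair per line (the expected values
# are an assumption for this example, not a recommendation from the page).
BASELINE_BOOLEANS='ssh_sysadm_login off
ssh_chroot_full_access off
allow_ssh_keysign off'

# audit_booleans BASELINE: reads getsebool output on stdin, prints one
# "name expected=X actual=Y" line per Boolean that deviates from the
# baseline (or is missing) and returns 1 if any deviate, else 0.
audit_booleans() {
    awk -v baseline="$1" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                if (kv[1] != "") want[kv[1]] = kv[2]
            }
        }
        $2 == "-->" { have[$1] = $3 }       # one getsebool line
        END {
            bad = 0
            for (b in want) {
                actual = (b in have) ? have[b] : "missing"
                if (actual != want[b]) {
                    print b " expected=" want[b] " actual=" actual
                    bad = 1
                }
            }
            exit bad
        }'
}

# On a real host: getsebool -a | audit_booleans "$BASELINE_BOOLEANS"
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans "$BASELINE_BOOLEANS" \
    || echo "one or more Booleans differ from the baseline"
```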

Disabling and Enabling SELinux Security.

Edit the /etc/selinux/config file and set SELINUX=disabled. Whenever the mode is changed in this file, the system must be restarted for the change to take effect.

# getenforce
Enforcing
# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# init 6

# getenforce
Disabled
#

# sestatus
SELinux status: disabled
#

To change it back, set SELINUX=enforcing or SELINUX=permissive and restart the system.

# getenforce
Disabled
#

# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# init 6

# getenforce
Enforcing
#

# sestatus
SELinux status:          enabled
SELinuxfs mount:         /selinux
Current mode:            enforcing
Mode from config file:   enforcing
Policy version:          24
Policy from config file: targeted
#
